---
title: "Secrets Integration"
slug: /features/secrets
description: "Built-in support for secrets"
toc_max_heading_level: 2
---

import Tabs from '@theme/Tabs';
import TabItem from '@theme/TabItem';
import VideoPlayer from '@components/VideoPlayer';

Dagger natively supports reading confidential information ("secrets"), such as passwords, API keys, SSH keys, and access tokens, from multiple secret providers and has built-in safeguards to ensure that secrets do not leak into the open.

These secrets can be sourced from different secret providers, including the host environment, the host filesystem, the result of host command execution, and external secret managers [1Password](https://1password.com/) and [Vault](https://www.hashicorp.com/products/vault).

:::important
Dagger has built-in safeguards to ensure that secrets are used without exposing them in plaintext logs, writing them into the filesystem of containers you're building, or inserting them into the cache. This ensures that sensitive data does not leak - for example, in the event of a crash.
:::

Here's an example of a workflow that receives and uses a GitHub personal access token as a secret:

<Tabs groupId="language" queryString="sdk">
<TabItem value="go" label="Go">
```go file=./snippets/secrets/go/main.go
```
</TabItem>
<TabItem value="python" label="Python">
```python file=./snippets/secrets/python/main.py
```
</TabItem>
<TabItem value="typescript" label="TypeScript">
```typescript file=./snippets/secrets/typescript/index.ts
```
</TabItem>
<TabItem value="php" label="PHP">
```php file=./snippets/secrets/php/src/MyModule.php
```
</TabItem>
<TabItem value="java" label="Java">
```java file=./snippets/secrets/java/src/main/java/io/dagger/modules/mymodule/MyModule.java
```
</TabItem>
</Tabs>

### Host environment

The secret can be passed from the host environment via the `env` provider:

<VideoPlayer src="/img/current_docs/introduction/features/secrets-env.webm" alt="Secret from environment" />

### Files

Secrets can also be passed from host files via the `file` provider (shown below) or from host command output via the `cmd` provider:

<VideoPlayer src="/img/current_docs/introduction/features/secrets-file.webm" alt="Secret from file" />

### Hashicorp Vault and 1Password

Secrets can also be read from external secret managers, such as Vault (`vault`):

```shell
dagger call github-api --token=vault://credentials.github
```

Here is the same example, but using 1Password as the secret provider. The secret is passed from 1Password via the `op` provider. This requires the Dagger CLI to be authenticated with 1Password, which can be done by running `op signin` in the terminal.

```shell
dagger call github-api --token=op://infra/github/credential
```

<VideoPlayer src="/img/current_docs/introduction/features/secrets-1password.webm" alt="Secret from 1Password" />
